AuthorizationDB.h

/* * Copyright (c) 2003 Apple Computer, Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * * This file contains Original Code and/or Modifications of Original Code * as defined in and that are subject to the Apple Public Source License * Version 2.0 (the 'License'). You may not use this file except in * compliance with the License. Please obtain a copy of the License at * http://www.opensource.apple.com/apsl/ and read it before using this * file. * * The Original Code and all software distributed under the License are * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. * Please see the License for the specific language governing rights and * limitations under the License. * * @APPLE_LICENSE_HEADER_END@ *//* * AuthorizationDB.h -- APIs for managing the authorization policy database * and daemons. */#ifndef _SECURITY_AUTHORIZATIONDB_H_#define _SECURITY_AUTHORIZATIONDB_H_#include <Security/Authorization.h>#include <CoreFoundation/CoreFoundation.h>#if defined(__cplusplus)extern"C" {
#endif/*! @header AuthorizationDB Version 1.0 This API allows for any programs to get, modify, delete and add new right definitions to the policy database. Meta-rights specify whether and what authorization is required to make these modifications. AuthorizationRightSet(NULL, "com.ifoo.ifax.send", CFSTR(kRuleIsAdmin), CFSTR("You must authenticate to send a fax."), NULL, NULL) add a rule for letting admins send faxes using a canned rule, delegating to a pre-specified rule that authorizes everyone who is an admin. AuthorizationRightSet(NULL, "com.ifoo.ifax.send", [[CFSTR(kRightRule), CFSTR(kRuleIsAdmin)], [CFSTR(kRightComment), CFSTR("authorizes sending of 1 fax message")]], CFSTR("Authorize sending of a fax"), NULL, NULL) add identical rule, but specify additional attributes this time. Keep in mind while specifying a comment to be specific about what you need to authorize for (1 fax), in terms of a general message for user. The means of proof required for kRuleIsAdmin (enter username/password for example) should not be included here, since it could be configured differently.*//*! @define kRightRule rule delegation key. Instead of specifying exact behavior some canned rules are shipped that may be switched by configurable security.*/#define kAuthorizationRightRule "rule"/*! @defined kRuleIsAdmin canned rule values for use with rule delegation definitions: require user to be an admin.*/#define kAuthorizationRuleIsAdmin "is-admin"/*! @defined kRuleAuthenticateAsSessionUser canned rule value for use with rule delegation definitions: require user to authenticate as the session owner (logged-in user).*/#define kAuthorizationRuleAuthenticateAsSessionUser "authenticate-session-user"/*! @defined kRuleAuthenticateAsAdmin Canned rule value for use with rule delegation definitions: require user to authenticate as admin.*/#define kAuthorizationRuleAuthenticateAsAdmin "authenticate-admin"/*! @defined kAuthorizationRuleClassAllow Class that allows anything.*/#define kAuthorizationRuleClassAllow "allow"/*! @defined kAuthorizationRuleClassDeny Class that denies anything. */#define kAuthorizationRuleClassDeny "deny"/*! @defined kAuthorizationComment comments for the administrator on what is being customized here; as opposed to (localized) descriptions presented to the user.*/#define kAuthorizationComment "comment"/*! @function AuthorizationRightGet Retrieves a right definition as a dictionary. There are no restrictions to keep anyone from retrieving these definitions. @param rightName (input) the rightname (ASCII). Wildcard rightname definitions are okay. @param rightDefinition (output/optional) the dictionary with all keys defining the right. See documented keys. Passing in NULL will just check if there is a definition. The caller is responsible for releasing the returned dictionary. @result errAuthorizationSuccess 0 No error. errAuthorizationDenied -60005 No definition found.*/
OSStatus AuthorizationRightGet(constchar *rightName,
CFDictionaryRef *rightDefinition);
/*! @function AuthorizationRightSet Create or update a right entry. Only normal rights can be registered (wildcard rights are denied); wildcard rights are considered to be put in by an administrator putting together a site configuration. @param authRef (input) authRef to authorize modifications. @param rightName (input) the rightname (ASCII). Wildcard rightnames are not okay. @param rightDefinition (input) a CFString of the name of a rule to use (delegate) or CFDictionary containing keys defining one. @param descriptionKey (input/optional) a CFString to use as a key for looking up localized descriptions. If no localization is found this will be the description itself. @param bundle (input/optional) a bundle to get localizations from if not the main bundle. @param localeTableName (input/optional) stringtable name to get localizations from. @result errAuthorizationSuccess 0 added right definition successfully. errAuthorizationDenied -60005 Unable to create or update right definition. errAuthorizationCanceled -60006 Authorization was canceled by user. errAuthorizationInteractionNotAllowed -60007 Interaction was required but not possible.*/
OSStatus AuthorizationRightSet(AuthorizationRef authRef,
constchar *rightName,
CFTypeRef rightDefinition,
CFStringRef descriptionKey,
CFBundleRef bundle,
CFStringRef localeTableName);
/*! @function AuthorizationRightRemove Request to remove a right from the policy database. @param authRef (input) authRef, to be used to authorize this action. @param rightName (input) the rightname (ASCII). Wildcard rightnames are not okay.*/
OSStatus AuthorizationRightRemove(AuthorizationRef authRef,
constchar *rightName);
#if defined(__cplusplus)}
#endif#endif /* !_SECURITY_AUTHORIZATIONDB_H_ */